Merge pull request #3293 from hashicorp/f-self-token
Allow querying self token
This commit is contained in:
Alex Dadgar
GitHub
commit
b772fb650e
|
|
@ -622,10 +622,13 @@ func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.Sin
|
||||||
}
|
}
|
||||||
defer metrics.MeasureSince([]string{"nomad", "acl", "get_token"}, time.Now())
|
defer metrics.MeasureSince([]string{"nomad", "acl", "get_token"}, time.Now())
|
||||||
|
|
||||||
// Check management level permissions
|
acl, err := a.srv.resolveToken(args.SecretID)
|
||||||
if acl, err := a.srv.resolveToken(args.SecretID); err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
} else if acl == nil || !acl.IsManagement() {
|
}
|
||||||
|
|
||||||
|
// Ensure ACLs are enabled and this call is made with one
|
||||||
|
if acl == nil {
|
||||||
return structs.ErrPermissionDenied
|
return structs.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -640,6 +643,19 @@ func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.Sin
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if out == nil {
|
||||||
|
// If the token doesn't resolve, only allow management tokens to
|
||||||
|
// block.
|
||||||
|
if !acl.IsManagement() {
|
||||||
|
return structs.ErrPermissionDenied
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check management level permissions or that the secret ID matches the
|
||||||
|
// accessor ID
|
||||||
|
} else if !acl.IsManagement() && out.SecretID != args.SecretID {
|
||||||
|
return structs.ErrPermissionDenied
|
||||||
|
}
|
||||||
|
|
||||||
// Setup the output
|
// Setup the output
|
||||||
reply.Token = out
|
reply.Token = out
|
||||||
if out != nil {
|
if out != nil {
|
||||||
|
|
|
||||||
|
|
@ -509,6 +509,16 @@ func TestACLEndpoint_GetToken(t *testing.T) {
|
||||||
}
|
}
|
||||||
assert.Equal(t, uint64(1000), resp.Index)
|
assert.Equal(t, uint64(1000), resp.Index)
|
||||||
assert.Nil(t, resp.Token)
|
assert.Nil(t, resp.Token)
|
||||||
|
|
||||||
|
// Lookup the token by accessor id using the tokens secret ID
|
||||||
|
get.AccessorID = token.AccessorID
|
||||||
|
get.SecretID = token.SecretID
|
||||||
|
var resp2 structs.SingleACLTokenResponse
|
||||||
|
if err := msgpackrpc.CallWithCodec(codec, "ACL.GetToken", get, &resp2); err != nil {
|
||||||
|
t.Fatalf("err: %v", err)
|
||||||
|
}
|
||||||
|
assert.Equal(t, uint64(1000), resp2.Index)
|
||||||
|
assert.Equal(t, token, resp2.Token)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestACLEndpoint_GetToken_Blocking(t *testing.T) {
|
func TestACLEndpoint_GetToken_Blocking(t *testing.T) {
|
||||||
|
|
|
||||||
|
|
@ -241,7 +241,7 @@ The table below shows this endpoint's support for
|
||||||
|
|
||||||
| Blocking Queries | Consistency Modes | ACL Required |
|
| Blocking Queries | Consistency Modes | ACL Required |
|
||||||
| ---------------- | ----------------- | ------------ |
|
| ---------------- | ----------------- | ------------ |
|
||||||
| `YES` | `all` | `management` |
|
| `YES` | `all` | `management` or a SecretID matching the AccessorID |
|
||||||
|
|
||||||
### Sample Request
|
### Sample Request
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue